Cyberattacks against enterprise targets have increased as a result of the lockdown. They were already on the increase before enterprises sent large numbers of workers home and put them on remote working. Since then, the number of attacks has accelerated, and it has exposed weaknesses and issues in IT security programmes.
The details of the increasing number of attacks come in the latest VMware Carbon Black Global Threat Report: Extended enterprise under threat (registration required). There are several versions of the report broken down by country. What they show is a global increase in attacks and breaches that has accelerated in the second quarter of 2020. The original survey took place in March, but as lockdown orders took hold in April, additional questions were asked of 1,000 participants.
To get a greater understanding of the survey numbers, Enterprise Times talked with Rick McElroy, Cyber Security Strategist at VMware Carbon Black.
Key findings from the report
While not long, the report is stacked full of stats. Some of them are as expected, such as an increase in attacks over previous iterations of this report, and some of them are new. Some of the more interesting ones are:
- Attack numbers are up with 94% of organisations admitting to a data breach in the last year.
- The average organisation has suffered 2.17 breaches, which is a decline over previous years.
- 80% of respondents say attacks are more sophisticated, while 18% say they are significantly more advanced.
- OS vulnerabilities are the cause of 18% of attacks, suggesting patching is still far from effective.
- Island hopping, where attackers establish a foothold in one network before moving to another, made up just 4.5% of attacks but was responsible for 13% of breaches. As manufacturers go back to work, there is an expectation that island hopping attacks through the supply chain will rise throughout 2020.
- Phishing and ransomware attacks have dropped from 34% and 18% respectively to just 6%.
- 96% of organisations plan to increase cybersecurity spending. However, there has been a spike in job losses among cybersecurity teams, so where is that spend going? According to the report, it is going on threat hunting as it is seen as being effective in detecting malicious actors already in the system.
- 93% of organisations have been targeted by malware using COVID-19 lures.
Work from Home is the epicentre of cyberattack activity
One repeat statistic is the increase in attacks as a result of employees working from home. This report puts it at 91% of respondents seeing a risk with 5% citing an increase in attacks of 50-100%. A quarter said attack volumes had increased 25-49%. Enterprise Times asked McElroy, what was driving this?
“Across the board, everybody says their plans could have been better. It speaks to a number of different things. You had people with NOC solutions, where I can only access the system from this one room in a building because it’s wired. Then we broke all of that.
“We saw Healthcare take on some new risks by sending people home and they didn’t have fax machines. They had to pivot to email and saw a lot of email compromises.
“We broke a lot of things like DLP, and visibility from an endpoint perspective is broke. Teams are scrambling to either get new licences out there. We see VDI as a solution. Tons of people have started putting that in to help secure one system, allow everybody remote access to it and harden it.”
Disaster recovery plans explicitly deal with the loss of premises where people suddenly need remote access. Why were companies so unprepared?
“I think our planning as a country was probably poor. For most organisations, they had planned in scenarios like regional outages. In California, every company has a plan for a forest fire. But pandemics? The largest logistics company probably had a pandemic on their risk register, but that’s it.”
Are layoffs a risk to cybersecurity?
There have been many stories of people being taken out of the Security Operations Centre and cybersecurity teams and put into general IT. Much of this was to help set up new laptops to ship to staff or walk users through how to connect from home. It left cybersecurity teams severely weakened at a time of increasing attacks. Now we see layoffs in those teams. What is happening?
“What I hear is everybody was asked to pull money out of their budget. If I’m protecting my internal staff, it’s one of the first places I cut. I don’t agree with that as a rule, but I’ve had to do it in times of budget downturns. The report shows that in March, people expected an increase in infosec.
“One of the impacts over the last couple of months has been everybody’s had to pony up money. I haven’t talked to one person who hasn’t had a net increase in their security budget. When there is a return to business, you’re going to see cloud security providers and managed security service providers getting deals. Companies are quicker to implement them than they were before.
“It’s good news for anybody hiring. There’s a lot of talent available. Unfortunately, you have to look at it like this too; our overall salaries will come down. There’ll be some top talent that’s reasonably affordable, and you’re gonna continue to see a massive consolidation in infosec. There are so many companies who were waiting for that next big customer or waiting for the next round of funding, and the funding is drying up as we speak. Continued consolidation will mean there is a lot of talent on the market.”
Are the toolsets too complicated?
One of the ongoing challenges for cybersecurity teams has been the toolsets they use. Some go for a best-of-breed approach and then roll their own solution. Others buy in platforms and add in third-party point solutions to fill gaps. None of this is easy, and it all costs money and time to learn and master. Do we need to start thinning out the tools to do a better job?
“You’re gonna see distinct verticals start to collapse. People talk about SOAR and SIEM as two different products, and you’ll see that start to collapse. Every product must have some orchestration piece to it. To your point about simpler, our perspective is this: Yeah, it’s hard, too complex, there are too many things. The IT staff has limited tools and should be making some security efforts, and we should make all of this start to work together.
“The journey we’re on is to start doing that for customers. We’re already increasing security. Now we are looking at how we make the management of all of that easier. VMware has unique control points and is well-positioned to do that. Microsoft’s been on that path for a while and Cisco, a few years ago, said, “Hey, what if you trusted one company to your security?”
“I probably won’t ever land in the bucket of one company being your sole security provider. But I do think when it comes to workloads, desktops and laptops, we’ve got to make that way easier. We’ve got to normalise the environment and get better pattern detection. Then, for any vendor out there, it’s reduce the number of false positives. We’re sending too much work to people, and it’s not meaningful.”
How do we improve security?
As an industry, we talk about user education as if it is a magic bullet. Yet many of the systems we use don’t help. In the report, you talk about the lack of multi-factor authentication, but it’s not just the software landscape that is a problem. We are relying on the hardware our users own. It doesn’t seem the smartest option.
“It all starts with communications such as fundamentally assuming that home routers have been owned for a long time. Some people are suggesting sending a secondary work router that might not be managed, but the company knows the baseline and version of firmware they are on.
“Then there is the neighbour who works in the backyard and has conversations that might be sensitive. They might have secure software to conference with, but they have to be using it in a secure place.
“As a security professional, we have to assume people are going to use any and all comms to keep business up and running. They’ll use the easiest tool they have. We have to fundamentally rethink all of those comms. What do you do when your load balancers have a remote code execution that can get to everything on your network? I think the future is like an abstraction of all of it. Software-defined networking will attempt to fix it, but then that’s a whole lot of code that we have to make sure is written correctly.”
Enterprise Times: What does this mean?
Cyberattacks are on the increase because cybercriminals are opportunists. COVID-19, a change of working environments, companies scrambling to stay alive – all of this creates opportunity. What is important is how we deal with it.
This report from VMware Carbon Black provides some key stats that security teams and CISOs should be dealing with. For those operating internationally, comparing all the reports to get country variances is essential. Types of attack differ by country. In a global economy, understanding that matters. A weakness in one country leaves your supply chain exposed. An attack that gives malicious actors a foothold in a supplier allows them to expand their cyberattack.
In most cases, this starts with reconnaissance. It is often followed by island hopping and looking for OS utilities that they can take control of. This move to living off the land makes attacks very hard to spot. OS patching has to be the starting point to prevent that foothold, but it is not the only thing that companies need to do. They need to focus on the internal network and threats, not just external.
One thing that has made this hard is the increasing complexity of the cybersecurity toolkits cybersecurity teams use. They create confusion, and that creates more opportunity for attackers. As McElroy pointed out, simplifying the tools landscape inside the enterprise makes sense.
As we look forward to work from home becoming the norm, not the privileged exception, the extended enterprise will continue to come under attack. If you do not address your current weaknesses, you can expect to see repeated successful cyberattacks.